Check: NET-SDN-008
SDN Using NV STIG, version v1 r1
Title
Southbound API management plane traffic for configuring SDN parameters on physical network elements must be authenticated using DOD PKI certificate-based authentication. (Cat II impact)
Discussion
Physical SDN-enabled switches depend on the SDN controller for their forwarding tables as well as their configuration and service parameters. This information is delivered to the switches over SDN management plane protocols such as the Network Configuration Protocol (NETCONF) and the Open vSwitch Database Management Protocol (OVSDB). OVSDB is the configuration protocol for Open vSwitch and other OpenFlow-enabled switches and is also implemented by a number of vendor switches. If management packets are not authenticated, physical switches within the SDN infrastructure can accept forged configuration from a rogue management system, which could shut down interfaces and thereby alter the physical network topology. By altering the topology, the attacker can force traffic to bypass security controls. A rogue manager could also drop legitimate traffic by pushing access control lists onto active interfaces, or mount a denial-of-service attack against the switches with spoofed management plane traffic, resulting in a network outage.
Check Content
Review both management and orchestration systems, as well as all SDN controllers and physical SDN-enabled network elements that compose the network virtualization platform (NVP), to determine if certificate-based authentication is used to ensure the authenticity and integrity of southbound API management messages. If southbound API management plane traffic is not authenticated using DOD PKI certificates, this is a finding.
Fix Text
Deploy DOD PKI certificates to all orchestration systems, management systems, and physical SDN-enabled network elements. Configure these components to use the certificates to authenticate southbound API management messages.
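One way to carry out this check and fix on an Open vSwitch node, written here as an added example and not taken from the STIG or from the Open vSwitch project. It classifies the OVSDB manager and OpenFlow controller target strings the switch is configured with (only the ssl/pssl forms carry X.509 certificate authentication; tcp/ptcp are cleartext) and parses the output of ovs-vsctl get-ssl to confirm that a key, a certificate and a CA certificate are all set and that CA bootstrapping (trust-on-first-use, not PKI) is off. The sample inputs are constructed so the checks run without a switch; the certificate paths, bridge name and 203.0.113.10 controller address in the fix commands are assumptions for the example, not values from the page.

```shell
#!/bin/sh
# Added example (not part of the STIG): audit an Open vSwitch node for
# NET-SDN-008. The check functions read constructed text on stdin so they
# run offline; live_audit() shows the real ovs-vsctl commands.

# classify_target TARGET
# OVS targets look like "pssl:6640", "ptcp:6640", "ssl:HOST:6653" or
# "tcp:HOST:6653". Only ssl/pssl authenticate with X.509 certificates.
classify_target() {
    case "$1" in
        ssl:*|pssl:*)    echo ok ;;
        tcp:*|ptcp:*)    echo finding ;;   # cleartext, unauthenticated
        unix:*|punix:*)  echo local ;;     # local socket, not southbound traffic
        *)               echo unknown ;;   # counted as a finding until explained
    esac
}

# count_findings: reads targets one per line on stdin and prints how many
# are not certificate-authenticated.
count_findings() {
    n=0
    while IFS= read -r t; do
        [ -n "$t" ] || continue
        case "$(classify_target "$t")" in
            finding|unknown) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# check_ssl_config: reads `ovs-vsctl get-ssl` output on stdin. Prints "ok"
# only if private key, certificate and CA certificate are all set and
# Bootstrap is false. A bootstrapped CA is whatever the first peer
# presented, which is not DOD PKI-based authentication.
check_ssl_config() {
    key= cert= ca= boot=
    while IFS= read -r line; do
        case "$line" in
            "Private key: "*)    key=${line#"Private key: "} ;;
            "Certificate: "*)    cert=${line#"Certificate: "} ;;
            "CA Certificate: "*) ca=${line#"CA Certificate: "} ;;
            "Bootstrap: "*)      boot=${line#"Bootstrap: "} ;;
        esac
    done
    if [ -n "$key" ] && [ -n "$cert" ] && [ -n "$ca" ] && [ "$boot" = false ]; then
        echo ok
    else
        echo finding
    fi
}

# live_audit: the same two checks against the running switch (needs ovs-vsctl).
live_audit() {
    ovs-vsctl get-ssl | check_ssl_config
    {
        ovs-vsctl get-manager
        for br in $(ovs-vsctl list-br); do ovs-vsctl get-controller "$br"; done
    } | count_findings
}

# Applying the fix text to OVS (paths, bridge and address are assumptions):
#   ovs-vsctl set-ssl /etc/openvswitch/switch-key.pem \
#       /etc/openvswitch/switch-cert.pem /etc/openvswitch/dod-ca-chain.pem
#   ovs-vsctl set-manager pssl:6640                      # was: ptcp:6640
#   ovs-vsctl set-controller br0 ssl:203.0.113.10:6653   # was: tcp:203.0.113.10:6653

# Constructed sample: one cleartext manager, one TLS controller -> 1 finding.
printf 'ptcp:6640\nssl:203.0.113.10:6653\n' | count_findings
```

The CA certificate handed to set-ssl must be the DOD PKI chain the controller's certificate chains to; a pssl listener with a self-signed or bootstrapped CA is still a finding. NETCONF-managed elements need the equivalent review (certificate-based client authentication rather than password-based SSH), which this script does not cover.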
Additional Identifiers
Rule ID: SV-87739r1_rule
Vulnerability ID: V-73087
Group Title: NET-SDN-008
CCIs
Number | Definition
---|---
CCI-000186 | For public key-based authentication, enforce authorized access to the corresponding private key.
Controls
Number | Title
---|---
IA-5(2) | PKI-Based Authentication